An apparently known "feature" of how mod_perl and srand interact is that different mod_perl child processes all get the same seed for generating random numbers:
http://marc.info/?l=apache-modperl&m=123904225030744&w=1
Because of this, random numbers generated by the clients all follow the same pattern. The most obvious side effect of this is that logging in as a practice user, logging out, waiting 10-15 sec for the child process to die, then logging back in as a practice user always gives you the same practice user. However, there is a very good possibility that this is having other side effects, and it certainly has negative security implications.
The proper solution to this is to add something which calls srand once per child, which is what I have done by adding the line
PerlChildInitHandler "sub { srand }"
to the apache configuration files.
To test:
My guess is that this pull is appropriate for release-2.11, but it's quite possible that some feature or another actually depended on different child processes all receiving the same seed. However, such a feature would have to run early in the life of a child process, before the random number generators diverged. On the other hand, this means that up until now there has been significantly less randomness to things like authentication tokens. I would say this is a change worth making, but there might be some gotchas.
P.S. It turns out srand is called before cookie keys are created, so this will have less of an impact than it might have because at least for some children srand was getting run pretty early.
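The mechanism described in the pull request, shown as a stand-alone added example (this is not code from the project or the pull request): the parent process draws one random number, which implicitly seeds Perl's generator, and then forks children. Children that do not call srand themselves inherit the parent's generator state and all produce the same sequence; children that call srand on startup, which is exactly what the PerlChildInitHandler "sub { srand }" line arranges under mod_perl, diverge. The helper name child_draws and the loop of three sequential children are assumptions for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Fork $count children one after another. Each child draws one random
# number and prints it. When $reseed is true the child calls srand first,
# mirroring what PerlChildInitHandler "sub { srand }" does in mod_perl.
sub child_draws {
    my ($count, $reseed) = @_;
    for my $i (1 .. $count) {
        my $pid = fork();
        die "fork failed: $!" unless defined $pid;
        if ($pid == 0) {
            # Child: without this call the generator state copied from the
            # parent is used, so every child yields the identical value.
            srand() if $reseed;
            printf "  child %d (pid %d): %.6f\n", $i, $$, rand();
            exit 0;
        }
        waitpid($pid, 0);    # run children sequentially so output stays readable
    }
}

# The parent's first rand() call seeds the generator once, as a long-running
# Apache parent would have done before forking its mod_perl children.
rand();

print "without per-child srand (all children print the same number):\n";
child_draws(3, 0);

print "with per-child srand (children diverge):\n";
child_draws(3, 1);
```

Running the script twice shows the first group repeating one value across all three children while the second group differs per child. The same check can be run against a live mod_perl deployment by logging the first rand() value from each child at request time, before and after adding the PerlChildInitHandler line.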